RSA: Microsoft Releases U-Prove CTP

Microsoft on Tuesday released a community technology preview (CTP) of its U-Prove cryptographic technology, as well as opened up its patented crypto algorithms under the company's Open Specification Promise (OSP).

The company also open-sourced two SDKs, C# and Java editions, under the BSD license for integrating U-Prove into open source identity selectors. The release will be accompanied by preview code integrating U-Prove with Active Directory Federation Services v2, Windows CardSpace v2 and Windows Identity Foundation.

Scott Charney, vice president of Microsoft's Trustworthy Computing group, announced the U-Prove CTP during his opening keynote at the annual RSA Security Conference, under way this week in San Francisco.

"The idea is to get more people to embrace these kinds of technologies," Charney told attendees packed into the Moscone Center auditorium. "Then we can create the identity metasystem that [Microsoft] has been talking about for a while now."

The brainchild of Microsoft's ID access architect Kim Cameron, the identity metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations and providers.

Microsoft acquired U-Prove two years ago from Montreal-based privacy vendor Credentica. Developed by the company's founder, well-known security expert and cryptographer Stefan Brands, U-Prove is a cryptographic credential and authentication system (not an encryption scheme) designed to let users prove claims about themselves in digital transactions while revealing as little about themselves as possible, a property called selective (or minimal) disclosure.
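To make the selective-disclosure idea concrete, here is an added illustration (not U-Prove code, and not Microsoft's or Credentica's): the issuer signs a list of salted hash commitments, one per attribute, and the holder later opens only the commitments it chooses, so the verifier learns the issuer's attestation of those attributes and nothing about the rest. The attribute values are constructed sample data, and the HMAC under a hypothetical issuer key stands in for the digital signature a real credential system would use. U-Prove goes further than this sketch, using blind signatures so that a presentation cannot be linked back to its issuance; this example demonstrates only the minimal-disclosure half.

```python
import hashlib
import hmac
import json
import os

# Constructed sample attributes that an issuer is assumed to attest.
SAMPLE_ATTRIBUTES = {
    "name": "Alice Example",
    "birth_year": "1985",
    "city": "Berlin",
    "over_18": "true",
}

# Hypothetical issuer key. A real system signs with a public-key scheme
# (U-Prove uses blind signatures) so verifiers hold no shared secret.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def commit(name, value, salt):
    """Salted hash commitment to one attribute; the salt hides low-entropy values."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def issue_credential(attributes, issuer_key=ISSUER_KEY):
    """Issuer commits to every attribute and signs only the list of commitments.
    Returns (credential, holder_secrets); the holder keeps the salts and values."""
    salts = {n: os.urandom(16) for n in attributes}
    commitments = {n: commit(n, v, salts[n]) for n, v in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    signature = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    credential = {"commitments": commitments, "signature": signature}
    holder_secrets = {"attributes": dict(attributes), "salts": salts}
    return credential, holder_secrets


def present(credential, holder_secrets, disclose):
    """Holder builds a presentation that opens only the attributes in `disclose`."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {
            n: {
                "value": holder_secrets["attributes"][n],
                "salt": holder_secrets["salts"][n].hex(),
            }
            for n in disclose
        },
    }


def verify_presentation(presentation, issuer_key=ISSUER_KEY):
    """Verifier checks the issuer signature over all commitments, then re-derives
    only the disclosed ones. Returns the disclosed attributes, or None on failure."""
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    revealed = {}
    for name, opening in presentation["disclosed"].items():
        if name not in presentation["commitments"]:
            return None
        salt = bytes.fromhex(opening["salt"])
        if commit(name, opening["value"], salt) != presentation["commitments"][name]:
            return None
        revealed[name] = opening["value"]
    return revealed


def demo():
    """Honest presentation of one attribute, then a forged value for another."""
    cred, secrets = issue_credential(SAMPLE_ATTRIBUTES)
    honest = present(cred, secrets, ["over_18"])
    # The holder swaps in a city that does not match the signed commitment.
    forged = present(cred, secrets, ["city"])
    forged["disclosed"]["city"]["value"] = "Paris"
    return verify_presentation(honest), verify_presentation(forged)


if __name__ == "__main__":
    print(demo())
```

The honest presentation verifies and yields only `{"over_18": "true"}`; the holder's name and birth year never leave the holder, since the presentation carries only their commitments. The forged city fails because the re-derived commitment does not match the one the issuer signed.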

Brands, along with colleagues Greg Thompson and Christian Paquin, joined Microsoft's Identity and Access group at the time of Credentica's acquisition.

Microsoft is now working with a German organization on a prototype national ID card system based on U-Prove, Charney said. The company is working with the Fraunhofer Institute for Open Communication Systems in Berlin on a system that will give end users control over the amount of personal data they share. Germany is planning to issue electronic ID cards to its citizens in November.

Charney also talked about the growing security risks presented by cloud computing, and characterized it as a shared responsibility between the user and the cloud services provider. In fact, he said, the cloud has the potential to shift the balance of power between individuals and the state.

"Everything will go to the cloud if the vision is right," he said, "[including] your health records, your tax records, your diary -- which you'll want to access from all sorts of different devices. As we move more and more of this data to the cloud, it means governments and litigants can go to the cloud and get that data without ever coming to the citizen. The question is: Is that the right place to be or not?"

At one point, Charney added himself to the growing list of advocates for mandatory quarantines of malware-infected PCs. He likened consumers running malware-infected PCs to smokers exhaling second-hand fumes.

"The [Environmental Protection Agency] comes out with second-hand smoke [warnings] and suddenly smoking is banned everywhere," he said. "You have a right to infect and give yourself illness. You don't have the right to infect your neighbor. Computers are the same way...you're not just accepting [the risk] yourself. You're contaminating everyone around you."

Published by Microsoft in 2006, the OSP is Microsoft's "irrevocable promise not to assert" its patent claims on a list of technologies. Among other things, the OSP covers many WS specs (WS-Security, WS-Management, WS-Trust, etc.), as well as SOAP and WSDL specifications.